From b8178fe4092743953182a2050dccccd0c275cc64 Mon Sep 17 00:00:00 2001 From: jow Date: Sun, 5 Sep 2010 20:37:44 +0000 Subject: [PATCH] [backfire] firewall: backport SNAT support from trunk git-svn-id: svn://svn.openwrt.org/openwrt/branches/backfire@22939 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- package/firewall/Makefile | 2 +- package/firewall/files/reflection.hotplug | 5 ++++- package/firewall/files/uci_firewall.sh | 25 +++++++++++++++++++---- 3 files changed, 26 insertions(+), 6 deletions(-) diff --git a/package/firewall/Makefile b/package/firewall/Makefile index b0255556a..1c063048b 100644 --- a/package/firewall/Makefile +++ b/package/firewall/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=firewall PKG_VERSION:=1 -PKG_RELEASE:=14 +PKG_RELEASE:=15 include $(INCLUDE_DIR)/package.mk diff --git a/package/firewall/files/reflection.hotplug b/package/firewall/files/reflection.hotplug index 6b1cd60f2..76ef6e7a9 100644 --- a/package/firewall/files/reflection.hotplug +++ b/package/firewall/files/reflection.hotplug @@ -41,7 +41,10 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then local src config_get src "$cfg" src - [ "$src" = wan ] && { + local target + config_get target "$cfg" target + + [ "$src" = wan ] && [ "${target:-DNAT}" = DNAT ] && { local dest config_get dest "$cfg" dest "lan" diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh index b9f61bca8..35f743401 100755 --- a/package/firewall/files/uci_firewall.sh +++ b/package/firewall/files/uci_firewall.sh @@ -372,6 +372,7 @@ fw_redirect() { local dest_ip local dest_port dest_port2 local proto + local target config_get src $1 src config_get src_ip $1 src_ip @@ -382,9 +383,25 @@ fw_redirect() { config_get dest_ip $1 dest_ip config_get dest_port $1 dest_port config_get proto $1 proto + config_get target $1 target + [ -z "$src" -o -z "$dest_ip$dest_port" ] && { \ echo "redirect needs src and dest_ip or dest_port"; return ; } + local chain destopt destaddr + if [ "${target:-DNAT}" == "DNAT" ]; then + chain="zone_${src}_prerouting" + destopt="--to-destination" + destaddr="$dest_ip" + elif [ "$target" == "SNAT" ]; then + chain="zone_${src}_nat" + destopt="--to-source" + destaddr="$src_dip" + else + echo "redirect target must be either DNAT or SNAT" + return + fi + find_item "$src" $CONNTRACK_ZONES || \ append CONNTRACK_ZONES "$src" @@ -405,19 +422,19 @@ fw_redirect() { dest_port2="$dest_port_first:$dest_port_last"; } add_rule() { - $IPTABLES -A zone_${src}_prerouting -t nat \ + $IPTABLES -A $chain -t nat \ ${proto:+-p $proto} \ ${src_ip:+-s $src_ip} \ ${src_dip:+-d $src_dip} \ ${src_port:+--sport $src_port} \ ${src_dport:+--dport $src_dport} \ ${src_mac:+-m mac --mac-source $src_mac} \ - -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port} + -j ${target:-DNAT} $destopt $dest_ip${dest_port:+:$dest_port} - [ -n "$dest_ip" ] && \ + [ -n "$destaddr" ] && \ $IPTABLES -I zone_${src}_forward 1 \ ${proto:+-p $proto} \ - -d $dest_ip \ + -d $destaddr \ ${src_ip:+-s $src_ip} \ ${src_port:+--sport $src_port} \ ${dest_port2:+--dport $dest_port2} \